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Abstract 

We study shared randomness in the context of multi-party number-in-hand communi- 
cation protocols in the simultaneous message passing model. We show that with three or 
more players, shared randomness exhibits new interesting properties that have no direct 
analogues in the two-party case. 

First, we demonstrate a hierarchy of modes of shared randomness, with the usual 
shared randomness where all parties access the same random string as the strongest form 
in the hierarchy. We show exponential separations between its levels, and some of our 
bounds may be of independent interest (e.g., we show that the equality function can be 
solved by a protocol of constant length using the weakest form of shared randomness, 
which we call XOR-shared randomness) . 

Second, we show that quantum communication cannot replace shared randomness in 
the multi-party case. We demonstrate a promise function QVk that can be computed by 
a classical protocol of constant length when (the strongest form of) shared randomness is 
available, but any quantum protocol without shared randomness must send n^^^^' qubits 
to compute it. Moreover, the quantum complexity of QVk remains n^'^^ even if the 
"second strongest" mode of shared randomness is available. While a somewhat similar 
separation was already known in the two-party case, in the multi-party case our statement 
is qualitatively stronger: 

• In the two-party case only a relational communication problem with similar prop- 
erties is known. 

• In the two-party case the gap between the two complexities of a problem can be at 
most exponential, as it is known that 2'^^'^^\ogn qubits can always replace shared 
randomness in any c-bit protocol. Our bounds imply that with quantum commu- 
nication alone, in general, it is not possible to simulate efficiently even a three-bit 
three-party classical protocol that uses shared randomness. 



1 Introduction 

The area of communication complexity deals with the amount of communication required 
for solving computational problems with distributed input. In the 2-party simultaneous 
message passing (SMP) setting of communication complexity, two players Alice and Bob 
receive inputs x and y, respectively, and each sends a message to a third party, the referee. 
Using those messages, the referee computes the output value. When the goal is to compute 
certain function /, the success is measured by the probability that the output value of a 
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communication protocol equals f{x,y). The cost of a communication protocol is the total 
number of bits sent by the players to the referee. 

Shared randomness is a crucial resource in communication complexity: When Alice and 
Bob have it, they can use a mixed strategy in order to compute /; in particular, the Minimax 
principle implies that worst-case and average-case complexities are equal in this case. It is 
known that without shared randomness the model becomes considerably weaker, and the 
gap between the worst-case and the average-case complexities of a communication problem 
can be arbitrary large (constant vs. ^l{^/n) in the case of the equality function, as shown by 
Newman and Szegedy jNS96j ). 

The SMP model of communication is the weakest among those that have been studied 
widely. Nevertheless, it is arguably the right model to look at when the goal is to investigate 
shared randomness. That is due to the fact that whenever communication between the players 
is possible (which is the case for all other commonly studied models, but not for SMP), then 
the first player can append O(logn) bits of private randomness to the first message that 
is sent to the others, and that would not affect the cost of the protocol significantly (poly- 
logarithmic cost is viewed as efficient). Known to all the participants, those random bits 
can be used in the place of shared randomness. It is known due to Newman |New91j that 
O(logn) bits of shared randomness are always enough; therefore, shared randomness makes 
no difference in any model that allows direct communication between the players. 

In this paper we study shared randomness in the context of the multi-party version of 
the SMP model, where the number of players A; is 3 or larger (the referee is not counted as a 
player), the input has k fragments and each fragment is known to exactly one player - this 
regime of distributing input between the players is usually called "Number in Hand" . This 
model can be viewed as a natural generalization of the 2-party model. 

We demonstrate several interesting (and somewhat surprising) properties of shared ran- 
domness when the number of players is at least 3, that have no direct analogues in the 2-party 
case. 

1.1 Previous work 

In |Yao03] Yao showed that every classical 2-party SMP protocol that uses shared randomness 
and sends c bits can be simulated by a quantum protocol without shared randomness that 
sends 2*^^'^) logn qubits. This naturally raised the question whether quantum communication 
can always replace shared randomness - that is, whether any communication problem that can 
be solved by a classical SMP protocol of poly-logarithmic length using shared randomness can 
also be solved by a quantum protocol of poly-logarithmic length without shared randomness. 

The question was addressed by Gavinsky, Kempe, Regev and de Wolf in |GKRdW06| . 
where they demonstrated a 2-party relational communication problem that could be solved 
by a classical protocol of cost 0(log n) that used shared randomness, but required n^^^^ qubits 
in order to be solved by a quantum protocol without shared randomness. In the same work 
a question was posed whether a similar separation is possible via a functional problem. 

2 Our results 

Two main results of this work are the following. 
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First , we establish a hierarchy of modes of shared randomness (Section[3|). This is a proper 
hierarchy - i.e., we show exponential separations between its levels. 

One of the problems that we study in this context is the multi-party equality function, 
and we show (Claim 14. ip that it can be solved by a protocol of constant length that uses 
XOR-shared randomness, which is the weakest mode in the hierarchy (here the players receive 
uniformly random /c-tuples of bits whose parity is 0). We believe that this result might be of 
independent interest, due to the importance of the equality function. 

Second , we demonstrate a promise function that can be computed by a classical protocol 
of constant length when the strongest form of shared randomness is available (Section [5|). To 
compute the same function, any quantum protocol without shared randomness has to send 
qubits; moreover, the quantum complexity remains n^^^^ even if the protocol can use 
the "second strongest" mode of shared randomness - randomness on the forehead (in this 
case every k — 1 players share a random string; in particular, this mode is exponentially 
stronger than XOR-shared randomness for any A; > 3). 

Our second result is closely related to |GKRdW06j : We demonstrate a promise function 
that can be solved efficiently in the classical model with shared randomness, but not in the 
quantum model without it. This answers the main open problem posed in |GKRdW06j for 
the case of 3 or more players (the question remains wide-open for k = 2). 

Our second result is also related to the aforementioned result by Yao |Yao03j . In this 
work we demonstrate a (functional) communication problem that can be solved by a 3-bit 
3-party classical protocol with shared randomness but requires vP^^^ qubits without shared 
randomness (or even with shared randomness on the forehead). Accordingly, the possibility 
to simulate shared randomness by quantum communication is a unique feature of the 2 -party 
model; when A; > 3, the possible advantage of shared randomness over quantum communica- 
tion is not bounded by any function. 

2.1 Technical statements 

In the first part we prove the following. 
Theorem 2.1. Let k>3. Then 

• For each t € {3, . . . , k}, there exist a k-party promise function that can be solved by a 
protocol of cost t in the SMP model with classical communication and t-shared random- 
ness but requires Q.{kv}~^^~'^^ qubits in the SMP model with quantum communication 
and {t — \)-shared randomness. 

• There exist a k-party total function that can be solved by a protocol of constant cost in 
the classical SMP model with 2-shared randomness but requires Vl{y/n) bits of commu- 
nication in the classical SMP model with XOR-shared randomness. 

• There exist a k-party total function that can be solved by a protocol of constant cost 
in the classical SMP model with XOR-shared randomness but requires ^{^/n) bits of 
communication in the classical SMP model without shared randomness. 

In the second part of this work we study one of the most natural communication problems 
that can be solved efficiently by a classical SMP protocol with shared randomness. 



3 



Definition 1. (Gap-Parity) Let xi, . . . ,Xk ben-bit strings, such that \{i\ xi(i) (B ■ ■ ■ (B Xk{i)}\ 
[™/3, 2"/3], where Xj{i) denotes the i'th bit of Xj. Then 



QVk{xi, ■■■,Xk) 



jf |{i|xi(i)e...exfc(i)}| <"/2 

1 otherwise 



Note that in the SMP model with classical communication and shared randomness GVk 
has a trivial solution, where each player sends one bit to the referee. 

We will demonstrate that for A; > 3, GVk cannot be solved efficiently by a quantum 
protocol without shared randomness. Moreover, we define a hierarchy of modes of multi- 
player shared randomness, where the strongest mode corresponds to the usual type of shared 
randomness (all k players have free access to the same string of random bits), and show 
that the Gap-Parity problem has no efficient solution with quantum communication even 
with shared randomness of the second strongest mode in the hierarchy - "randomness on the 
forehead" (cf. Section H]). 

Theorem 2.2. Let k > 3. The k-party promise function QVk can he solved by a classical SMP 
protocol of cost k (where each player sends a bit), using shared randomness. For 2 < t < k — 1, 
in the SMP model with quantum communication with t-shared randomness, the complexity of 
GVk is (/cn^"*/'^) . In particular, in the SMP model with quantum communication without 
shared randomness, the complexity of GVk is il.(kn^~'^^'') . 



3 Preliminaries 

For any n-dimensional vector v, we will write v{j) to denote its j'th coordinate, and for any 
S C [n] we will use vs to denote the restriction of v to the coordinates that are elements of 
S. We use or 1 to denote the vectors of all O's or all I's, respectively, when its length is 
clear from the context. 

For any finite set W, let U{W) denote the uniform distribution over the elements of W. 



3.1 Quantum measurements 

Unless stated otherwise, we will represent quantum states by their density matrices. We will 
write Ei [cj] or even E [ci] to denote the mixed state ^ (jj. 

Given two quantum states (Tq and cJi, we denote by ||(To — o"i the trace distance between 
ctq and ai, defined as the half of the sum of the singular values of the matrix ctq — cti. It 
is known that the optimal probability with which a quantum measurement can correctly 
distinguish between ctq and cxi equals ^ + li^2_pJk:L_ 

We will use the following special case of the "random access code argument" |GKRdW06|, 
Lemma 2.2], which is a shght generahzation of |Nay99i Theorem 2.3] (see also |ANTSV02j ). 



Claim 3.1. Let X ~ ZY({0, 1}"). Suppose for each instantiation X = x we have a quantum 
state px of q qubits. Let ai be the expectation of px conditional upon X{j) = a, for a E {0, 1}. 
Then 

2 



E 



7 J 

ro - ^1 



tr 



eO{q). 



4 



Proof. Let h{p) be the binary entropy function: h{p) = —plog2P — (1 — p)log2(l — p)- 
Lemma 2.2 of |GKRdW06j implies that under the assumption of the claim, it holds that 




h 
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The claim follows because 1 - /i((l -x)/2) > xV(21n2) for < X < 1. ■ 

Now let us consider the situation when a quantum measurement is performed in order to 
predict the parity of several independent binary variables. 

Claim 3.2. For every i G [m] let cjg and a\ he quantum states of equal dimension. For 
a £ {0, 1}, let Pa =^Eaie...ea™=a [f^ai ® • • • ® <J ■ Then 

m 

\\P0 - PlWtr = ll^o - fllltr • 
i=l 



Proof. Write: 



Po-Pi- 2m 



l-^{al-al)0...^ia^-aT). 



and the claim follows from the fact that the trace norm is multiplicative with respect to the 
tensor product. ■ 

3.2 Communication complexity 

In this work we are interested in the following model of communication complexity. 

Definition 2. (Multi-party SMP) The k-party simultaneous message passing (SMP) model 
involves + 1 parties: k players Ai, . . . , Ak and a referee. For every i £ [k], Ai gets input 
Xi. They each send one message to the referee, who uses the content of all k messages to 
compute the output value. 

A communication protocol describes the action of each participant. The cost or complex- 
ity of a protocol is the total length of the messages sent by Ai 's to the referee. We say that 
a protocol solves a computational problem defined over k input values if the referee gives a 
correct answer with probability at least 2/3 for each possible input. 

In this paper we will consider several further modifications of the SMP model: 

• In the quantum SMP model the players Ai, . . . , Ak are allowed to send quantum mes- 
sages, and the referee can perform any quantum measurement in order to determine 
the output value. 

• In the SMP model with shared randomness the players ^i, . . . ,Ak have free access to 
the same string of random bits that were chosen independently from the input values. 

• In Section U] we define a hierarchy of modes of shared randomness in multi-party pro- 
tocols (where the strongest mode is the standard one, as described above). We demon- 
strate exponential separations between the levels of the hierarchy (i.e., the hierarchy is 
"proper"). 

We call a communication protocol efficient if its cost is poly-logarithmic in the length of 
input. 
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3.3 Read-A; families of functions 



Let us consider the following model of dependence among random variables. 



Definition 3. (Read-fc families) Let Xi, . . . , Xm be independent random variables. For j € 
[r], let Pj C [m] and let fj be a Boolean function of {Xi)-^p_. Assume that \{j \ i & Pj}\ 1^ k 
for every i G [m]. Then the random variables Yj = fj{{Xi)i^p.) are called a read-k family. 

The following lemma is due to Finner |Fin92j . 



Lemma 3.3. [Fin92j Let Yi,...,Yn be a read-k family of random variables taking non- 
negative values. Then 



E 



i=l . 



<nvE[(>^i)']- 



i=l 



Note that the generalized Holder inequality implies that E [fl Yj] < Yl \/E [(^i)*^] holds 
when the variables Yi, . . . ,Yn are arbitrarily dependent (making no independence assumption 
corresponds to choosing "A; = n" in the lemma condition). On the other hand, when k = 1 
(i.e., Yl, . . . ,Yn are mutually independent), the expectation of their product equals the prod- 
uct of their expectations. Accordingly, Lemma 13.31 gives a natural "interpolation" between 
these two extreme cases. 



4 Hierarchy of shared randomness in multi-party protocols 

Let A; > 3. Then it is possible to give k parties ^i, . . . ,Ak access to shared randomness in 
several different ways. 

Most naturally, the parties may have free access to the same string of random bits - let 
us call this mode unrestricted or k-shared randomness. Note that this mode of shared ran- 
domness is the strongest one, and it is often implicitly assumed to be available to the players; 
for example, unrestricted shared randomness is required in order to be able to use mixed 
strategies, and therefore applicability of the Minimax principle in multi-party communication 
depends on it. 

Second, for every fixed i € {2, . . . , A — 1} we can define the mode of t-shared randomness, 
where every t players share their own string of random bits. Sometimes we will refer to the 
(A — l)-shared mode as randomness on the forehead. 

Finally, every Ai can be given access to an arbitrarily long random string r^, such that 
every (A — 1) r/s are uniform and mutually independent but the bit- wise XOR of ri, . . . , 
is everywhere. We will call this mode XOR-shared randomness. 

If we consider the case of A = 2, we can see that XOR-shared and 2-shared modes are 
the same. For A = 3, we already have 3 modes of shared randomness that offer different 
computational power (as shown below): XOR-shared, 2-shared and 3-shared. 

In general, t-shared randomness is always at least as strong as (t — l)-shared randomness, 
as the latter can always be emulated using the former. Also, XOR-shared randomness can 
be emulated in the 2-shared mode for A > 3; to do that, let equal the bit- wise XOR of the 
random string shared between Ai-i and Ai and the random string shared between Ai and 
Ai+i — now the strings ri, . . . ,rk are distributed as required by the definition of XOR-shared 
mode. 
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One interesting example that demonstrates usefulness of XOR-shared randomness when 
> 3 is the multi-party equality function - this is a total Boolean function of k arguments 
xi, . . . ,Xk that takes value 1 if and only if xi = X2 = ■ ■ ■ = x^- 

Claim 4- 1- For any c G N, there exists a classical protocol for the k-party equality function, 
where XOR-shared randomness is used, each player sends c bits to the referee, and the 
following holds: 

• If xi = X2 = ■ ■ ■ = Xk, then the referee's answer is always "1"; 

• otherwise, the referee's answer is "Q" with prohahility 1 — 1/2'=. 

Proof. For r, x G {0, 1}" let Xr{x) '= (Bi:r{i)=i^(,'i)- Consider the following protocol V, where 
the players use XOR-shared randomness and each of them sends a single bit to the referee: 

1. For all i G [k], the i'th player uses his random string G {0,1}" and computes 
mi '= Xrii^i), then sends rrij to the referee. 

2. The referee outputs -■(mi © ... © m^). 

By the definition of XOR-shared randomness, ri© . . .©r^ = 0. Therefore Xri®...®rk i^k) = 
0, and we can write 

mi © . . . © mfc = Xri (Xl) © . . . © Xrfc {xk) 

= Xnixi) ® . . . ® Xrt,{xk) © Xri®...®rfc(2;fc) (1) 
= Xri {xi © Xk) © Xra (2:2 © 2;fc) © . . . © Xr^^i {Xk-1 © Xfc). 

Note that ri, . . . , rfc_i is a uniformly random {k — l)-tuple of n-bit strings, and therefore 
the rightmost part of ([I]) equals 1 with probability exactly 1/2 if at least one of the k — 1 
values xi © Xfc, . . . , Xk-i © Xk is different from 0. If, on the other hand, xi = X2 = • • • = xj^ 
then ([1]) equals with certainty. 

Accordingly, V outputs "1" whenever xi = X2 = • • • = x^, otherwise it outputs "0" 
with probability 1/2. To get a protocol as promised by our claim, we can run c independent 
instances of V in parallel and output "1" if and only if all c instances answered "1". H 

Let us see that the modes of shared randomness form a proper hierarchy when A; > 3. 

Tlieoreml2.it Let k > 3. Then 

• For each t G {3, . . . , k}, there exist a k-party promise function that can he solved by a 
protocol of cost t in the SMP model with classical communication and t-shared random- 
ness but requires il(A;n^~(*~^)/'^) qubits in the SMP model with quantum communication 
and {t — 1) -shared randomness. 

• There exist a k-party total function that can be solved by a protocol of constant cost in 
the classical SMP model with 2- shared randomness but requires Q{y/n) bits of commu- 
nication in the classical SMP model with XOR-shared randomness. 

• There exist a k-party total function that can be solved by a protocol of constant cost 
in the classical SMP model with XOR-shared randomness but requires il{^/n) bits of 
communication in the classical SMP model without shared randomness. 
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Proof. To prove the first part of the theorem, consider the t-party problem QVt, letting the 
players ^i, . . . ,At receive the corresponding fragments of input. Theorem 1 2. 2 1 which will be 
proved in the next section, implies the result in this case. 

The second part follows from considering the 2-party equality problem, when the input is 
distributed between Ai and A2- It was shown in |NS96j that the communication complexity 
of the equality problem is f^(-y/n) if the players (in our case, Ai and A2) do not share 
randomness. 

The third part follows from Claim 14.11 and the same lower bound on the communication 
complexity of the 2-party equality problem (the A;-party equality is obviously at least as hard 
as the 2-party version). ■ 

Remark: Besides the elegance of its own, the hierarchy of shared randomness is a useful 
technical tool. For our lower bound proof for the quantum complexity of QVk (which is the 
main technical result of Section Ej) we need different modes of shared randomness. Informally 
speaking, we use a hybrid argument that puts certain restrictions on the input values, and 
those restrictions inevitably create shared randomness of certain type that becomes available 
to the players. We show that the sort of randomness that is introduced corresponds to 
one of the restricted modes of shared randomness, whose availability does not make the 
communication problem easy for quantum communication. 

5 Shared randomness vs. quantum communication 

In this section, we will analyze the complexity of GVk to compare the resource of shared 
randomness to that of quantum communication in multi-party protocols. 

Fix k > 3. Recall that in the classical SMP model with shared randomness GVk has a 
trivial solution, where each player sends one bit to the referee. 

As a warm-up, consider the case of quantum protocols without shared randomness^ Let 
V he a quantum protocol that communicates c qubits and solves QVk, and let Uk be the 
uniform distribution over fc-tuples {xi, . . . ,Xk) G {0, 1}"^'^. Now consider the behavior of V 
when the input is distributed according to lAk (note that such input is almost never valid for 



For i € [k], let cjj be a density matrix representing the (mixed) state that the referee 
receives from Ai when the input distribution is Uk- Since the senders share no randomness 
and Uk is a product distribution, the state of the referee before his measurement is performed 
can be written as ai ® . . . ® ak- 

For i € [/c], let Xi be an n-bit random string taking the value of input Xj. By Claim [3T| 
there exists jo £ [n] such that 



^ We shall see soon why in the actual proof we have to consider different modes of shared randomness, even 
if our only purpose was to get a lower bound on the complexity of QVk in the quantum model without shared 
randomness. 



QVk). 



k 




(2) 



where is the message from Ai, conditional upon Xj(jo) 



= a. 
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Since the random variables Xi(jo), . . . , Xk{jo) are mutually independent and each Xj(jo) 
can be correlated only with Uj. Accordingly, Claim 13.21 together with Q imply that the 
referee can predict Xi(jo) ® . . . ^kiJo) with probability at most 

i=l 

Note that ([3]) guarantees that the "advantage over random guess" that the referee can 
have in predicting of Xi{jo) ® . . . © X^iJo) using the messages received from the players is 
o(i/n), as long as A; > 3 and c G o(/cn^~^/'°) . Moreover, similar reasoning can be applied 
to conclude that for most of the values of jo G [n], the possible advantage in predicting 
-^i(jo) © • • • © Xk{jo) must be very small. 

With this observation in hand, we would like to apply a "hybrid-like" reasoning, arguing 
that in order to distinguish between those inputs where most of bit-wise XORs equal and 
those where most equal 1, a protocol should be able, informally, to "accumulate advantage" 
from different input positions. We would like to claim that this is impossible, as long as the 
advantage is negligible for almost every jo G [n] . 

Here comes the main subtlety of our proof. Note that using hybrid-like argument puts 
a condition on a part of the input: Specifically, in order for the "hybrid scenario" to get 
through, it has to be argued that it is hard for the protocol to predict most of the values of 
Xi{j) © . . . © Xfc(j), even if the players "know" the values of Xi{j') © ... © Xk{j') for those 
j"s that were considered in the earlier stages of the induction. But such conditioning creates 
certain type of shared randomness between the players, and we can no longer assume mutual 
independence of the messages received by the referee, as we have done in the reasoning above. 

Recall that we are dealing with a communication problem that is easy in the presence of 
shared randomness even classically, then how can we hope for quantum hardness, as required 
for the hybrid argument to be applicable? It turns out that the mode of shared randomness 
that results from using the hybrid method is not powerful enough to make the problem easy, 
even for quantum communication. Our proof of Lemma 15.11 follows rather closely the outline 
given above, but it also contains some new ingredients required to make the argument robust 
against weaker modes of shared randomness. 

5.1 Exponential Separation for multi-party protocols 

We are ready to prove our main technical statement. 

Theorem\2.2[ Let k > 3. The k-party promise function QVk can be solved by a classical SMP 
protocol of cost k (where each player sends a bit), using shared randomness. For 2 < t < k — 1, 
in the SMP model with quantum communication with t-shared randomness, the complexity of 
QVk is 0(fcn^~*/''). In particular, in the SMP model with quantum communication without 
shared randomness, the complexity of QVk is ^{kn^~'^^^^ . 

First, we set up notation to describe protocol V which uses t-shared randomness. Let 
Vfc,t = {S* C [k] : \S\ = t}. For any S G Vk,t-, let Rs be the random string (of arbitrary 
length) shared by the AiS for i £ S. Then Ai holds the Rs^s for all S G Vk,t containing 
i. For convenience, let Ri = {Rs)i£S£Vk t (tri)-tuple of these random strings. For 

each instantiation Rs = rs, let fj = irs)i£SeVk t ^he corresponding instantiation of Ri. 
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In addition, let R = {Rs)seVkt (t)"tuple of all shared random strings, and let r = 

{rs)s<=Vkt instantiation of R. For each i £ [k], Ai sends a quantum state pl-^f. 

conditional upon receiving input Xi and random strings Ri = fi. Let Cj be the length of 
the quantum message sent by Ai] i.e., the length of state ^. is q qubits. By assumption. 

As before, let Uk be the uniform distribution over /c-tuples (xi, . . . G {0, i}"^^. To 
prove the theorem, we will use the following lemma. 

Lemma 5.1. Let 2 < t < k — 1, and let V be a quantum SMP protocol of cost c = o{kn^~^/^) 
that uses t-shared randomness as defined above. Suppose the player Ai receives the random 
input Xi for {Xi, . . . ,Xk) G U{{0, 1}"^^). Then there exists J C [n] of size at least 2?i/3, 
such that for every j G J a referee who is allowed to apply arbitrary quantum measurement 
to the messages received according to V can predict the value of Xi{j) (B ■ ■ ■ ® Xk{j) with 
probability at most 1/2 + o(l/n). 



We will first prove Theorem 12.21 assuming Lemma 15. li 

Proof of Theorem\KM Let "P be a quantum SMP protocol of cost c = o{kn^~^^^) that uses 
i-shared randomness. We will show that there exist L = [3ri/4j H coordinates Ji, . . . , Jl G [n] 
satisfying the following conditions. For I G [L] and a G {0,1}, let Wi^a be the set of k- 
tuples (xi, . . . , Xfc) G {0, lY^^ satisfying xi{j) © • • • Xk{j) = a for j = ji, j2, ■■■,ju and let 



Tla = E 



for (Xi, . . . ,Xk) ~ U{Wia) (here the expectation is taken 
with respect to the Xj's and Rs's). Then: (1) ||ri^o — ''"i,i||tr = o{l/n); (2) for any I G [L — 1], 
llr^^o ~ ''"i+i.olltr = o(l/n) and Hr; i — Ti+i^iHtj. = o(l/n). If this is true, then by the triangle 
inequality, 

L-l L-l 
||tL,0 - TL,l\\tr < ^ \\tI,0 " Tl+l,o\\tr + ^ ||tz,1 - Ti+l,l\\tr + \\ti,0 " Tl,l||ir 

;=i 1=1 
= o{L/n) 

= 0(1). (4) 

On the other hand, for any (xi, . . . , x^) G Wifl, it holds that |xi © X2 ® • • • © x^l < n — L < 
n/3 and hence QVkixi, ■ ■ ■ , Xk) = 0. Similarly, for any (xi,...,Xfc) G Wl,i, it holds that 
|xi © X2 © • • • © X/fc| > L > 2n/3 and hence GVkixi, ■ ■ ■ ,Xk) = 1. Therefore, if the referee 
can correctly predict the value of OVki^i, ■ ■ ■ , Xk) on any (xi, . . . , Xk) G Wifl U Wl,i, then 
he should be able to distinguish between r^^.o and r^^i with probability at least 2/3, which 
implies that Wtl^o — TL,i\\tr = ^^(1). But this is contradictory to ([4]). So the referee must fail 
to solve QVk on some valid input from Wla or Wl,i- 

To find the desired ji, . . . , Jl, we use one initial step and L — 1 inductive steps as follows. 

Initial Step: Consider the behavior of P on the random input (Xi, . . . , X^) G h({{0, 1}"^'^). 
By a straightforward application of Lemma [5. 11 there exists J C [n] of size at least 2n/3 such 
that, for any j G J, the referee can predict the value of Xi(j)(B- ■ • ©Xfc(j) with probability at 
most 1/2 + o(l/n). In other words, for any j G J, we have ||cro(j) — cri(j)||tr = o(l/n) where 
aa{j) is the expectation of = ® • • • © = conditional upon Xi{j) © • • • © Xk{j) = a, 



In fact, our statement holds for any L < (1 — e)n^ where e can be any smaU constant. 
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for a G {0, 1}. Set ji to be any j G J. Then ||ri,o - n,i||tr = \Wo{j) - (^i{j)\\tr = o(l/n) as 
desired. 

Inductive Step: Suppose now we have fixed ji, ■ ■ ■ ,ji G [n] for some / < 3n/4. Let 
T = {ji, ■ ■ ■ ,ji} and T" = [n] \ T. 

Let us consider the behavior of V on the random input {Xi, . . . ,Xk) ~ UiWifi) (recall 
that Wifl is the set of (xi, . . . G {0, satisfying (xi © • • • © x^It = 0). Note that 
the XiS are not completely independent, but only [k — l)-wise independent. So there exists 
some correlation among the inputs to different players, which might be exploited to gain some 
advantage. However, we will show that, even in this case, the referee can still predict the 
value of Xi{j) © • • • © Xk{j) with probability at most 1/2 + o(l/n) for at least 2/3 fraction 
of j G 

Let Yi = {Xi)s- Then {Yi, . . . ,Yk) is uniformly distributed among all (yi, . . . , G 
{0, 1}'^*^ satisfying yi ® • • • ® yu = 0. Namely, (Yi, . . . ,Yk) can be viewed as some XOR 
randomness (which is a special kind of 2-shared randomness) shared by the players. Also, 
note that the (Xj)5c's are i.i.d. with {Xi)s<^ ~ ^({0, l}""'), and they are also independent 
from the 5^'s. Finally, the i^'s and {Xi)s<^^s are all independent from the Rs^s. 

Now consider the following protocol V' which attempts to solve QVk for (n — /)-bit 
strings. The players share XOR randomness (y/, . . . , Yj^ which has the same distribution 
as (Yi, . . . In addition, they also share t-shared randomness {R'g)s<=:Vk t which has the 

same distribution as {Rs)seVk t- Furthermore, the y/'s and R'g's are independent. Now sup- 
pose Ai receives input x- G {0, 1}"~' and random strings Y- = yi, R[ = fj. Then Ai first finds 
the unique xi G {0, 1}" such that {xi)T = yi and [xi)T<^ = x[, and then sends the quantum 
message pi - oiV to the referee. 

Since the (y/, . . . ,y^') is a special kind of 2-shared randomness, V' uses only max{t,2}- 
shared randomness. So by Lemma fS . 1 1 (replacing the original n by n—l and noting that n—l = 
0(n), since I < Sn/A), we know that, on the random input {X[, . . . , X^) ~ ^({0, l}("-Oxfc)^ 
there exists J' C [n — I] of size at least 2(n — l)/3 such that for any j G J' the referee can 
predict the value of X[{j) © • • • © X'f^{j) with probability at most 1/2 + o(l/n) using the 
messages received according to T". Meanwhile, by the construction of ^-'s, y/'s, R'g^s and 
V' , it is obvious that the joint message sent according to V' has the same distribution as 
- © • • • © B • In addition, the bits of X' are in one-to-one correspondence with the 
bits of (Xj)'rc. Thus, getting back to the original protocol V, we know that, on the random 
input {Xi, . . . , Xk) ~ UiWifl), there exists Jq C T'^ of size at least 2(n — /)/3 (corresponding 
to J') such that for any j G Jq the referee can predict the value of Xi(j) © • • • © Xk{j) with 
probability at most l/2+o(l/ n) using the messages received according to V. So for any j £ Jq, 
we have ||(To(j) — cri{j)\\tr = o{l/n), where o"a(j) is the expectation of p^, ^ © • • • © „ 
conditional upon Xi{j) © • • • © Xk{j) = a for a G {0, 1}. Now if we set = j, then 
depending on the value of xi{j) © • • • © X/fc(j), Wi q is split into to two equal-sized subsets: 
Wi+ifi and Wifl \ W«+i,o- It follows that = {ao{j) + cri{j))/2 and r^+i^o = cro{j), and 

hence ||rz,o - Tz+i,o||ir = ^ = o(l/n). 

By a similar argument, we can also prove that, on the random input {X\,...,X]^ ~ 
lAiyVi^i), there also exists J\ C of size at least 2(n — /)/3 such that for any j G J\ the 
referee can predict Xi(j) © • • • © X^ij) with probability at most l/2-|-o(l/n). Then, if we 
set ji+i to be any j G Ji, then we get ||ri,i - Tij^\.\\tr = o(l/n). 

Now since | Jo|, | Ji| > 2(n — /)/3, Jq n J\ must be non-empty. We set to be any 
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j £ Tq nTi. Then we achieve both ||r/^o — ''"/+i,o||ir = o(l/n) and \\ti^i — T[+i^i\\tr = o(l/n). 

Iterate this inductive step L — 1 times, and in the end we obtain the desired ji, . . . , j^. 
This completes a proof of the theorem. ^TheoremW^ 

Proof of Lemma [5A[ Let o"^ ^{j) be the expectation of p* - conditional upon Xi{j) = a and 
R = f, for any i £ [k], j £ [n], a £ {0, 1} and possible r. Define Oj^^ E M" as 

(Xi,rU) = lko,r(j) - (^l,rU)\\tv (5) 

Then by Claim [3Tl 

n 

Y.Mj)? < 0{c^). (6) 
i=i 

Taking the sum of both sides over i £ [k] and using X]i=i = c yields 

k n 

Y.^{a.Aj))'<0{c). (7) 



i=i j=i 



This holds for any possible f. So 



E 



k n 

i=i i=i 



< 0(c). 



(8) 



(Here the expectation is taken with respect to the Rs^s). Thus, there exists some J C [n] of 
size at least 2n/3 such that, for any jo £ J, 

k 



E 



i=l 



<o{- 

.n 



(9) 



Let o"a j-?(jo) be the expectation of p\ 



Xi,Ri 



p 5 conditional upon Xi(jo) 



-'^fe(jo) = and R = f, for any a G {0, 1} and possible r. Since the Xj(jo)'s are i.i.d. with 
^i(io) ~ ^({0, 1}), and they are also independent from the Rs^s, we have 



O"a,r(j0 



E 

ai©---eafe=a l 



kai,ri(io) 



(10) 



(Here the expectation is taken with respect to the a^'s). So by Claim [3^2] and ([5]) we get 

k 

lko,r(jo) - (^l,rUo)\\tr = JJai,r(jo)- (H) 



i=l 



Now let cra(jo) be the expectation of - 
-'^fc(io) = «, for a £ {0, 1}. Then o-a(jo) = E cra,i?(-?o) 

Iko(jo) - Cri(jo)||tr = II E 

< E 

k 



p\^ = conditional upon Xi(io) © 



E 



Thus, 

^o,i?Oo)J - E [a^^jiijo) 

k 



\tr 



.i=l 
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def 



Note that Zi = a- j^_{jo) is a non-negative function of the Rs^s for i G G Vk,t- (Recall 

that Ri = {Rs)i<^s£Vk t)- Since the Rs's are independent random variables, and each Rs is 
read t times (by the Zj's for i £ S), we know that Zi, . . . , form a read-t family. Thus, by 
invoking Lemma 13.31 we get 



E 



n a»,i?(io) 



i=l 



< n E (a^ ^(jo)) 



i=l 



1/t 



(12) 



Since a. ^(jo) £ [0, 1] and t > 2, we have 



\i=l 



^2l 1 



Then by 



nE[K.?ao))^ 



i/t 



< o 



c \fcA 
knJ 



o I i 

n 



(13) 



(14) 



provided c = o{kn^ */'^). So, we have ||o-o(jo) — o-i(jo)||jr = o(l/n). Namely, the referee can 
predict the value of Xi(jo) © • • • © -'^fc(jo) with probability at most 1/2 + o(l/n). This holds 

for any jo G ■ Lemma dj] 
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